What is the purpose of maintaining a visitor log in this context?

• A. To record only the name of the visitor.
• B. To record the visitor's company but not entry times.
• C. To track only the times of entry.
• D. To maintain a physical audit trail of visitor activity to the facility as well as computer rooms and data centers where cardholder data is stored or transmitted, including the visitor's name, firm represented, and onsite personnel authorizing access.

Answer: (D)

Maintaining a visitor log provides the physical audit trail needed for accountability and traceability of who accessed sensitive areas that store or transmit cardholder data. In PCI DSS terms, access to the cardholder data environment and related facilities must be documented so you can verify who entered, when they did, and who authorized their access. A log that includes the visitor’s name, the firm represented, and the onsite personnel who approved the visit gives a complete record for security reviews, incident investigations, and audits. Recording only a name, or only entry times, or only the company without authorization context, would leave gaps in who had access and under whose authority. This comprehensive approach best meets the goal of controlling and auditing physical access to sensitive spaces.